
Centos 7 DNS server not replying to clients

Asked by hbaber
Tags: Linux, DNS, CentOS
What have I missed?  

I am trying to configure a local DNS server on CentOS 7, and it appears that queries from the server itself to the outside are working, but clients are not getting responses from the local server. I can see the request coming in via tcpdump, but the local server isn't performing the query and replying to the client.

From server:
[root@zotac etc]# nslookup
> server
Default server: 10.30.3.5
Address: 10.30.3.5#53
> cnn.com
Server:         10.30.3.5
Address:        10.30.3.5#53

Non-authoritative answer:
Name:   cnn.com
Address: 151.101.64.73
Name:   cnn.com
Address: 151.101.192.73
Name:   cnn.com
Address: 151.101.0.73
Name:   cnn.com
Address: 151.101.128.73

[root@zotac etc]# netstat -lnp | grep named
tcp        0      0 10.30.3.5:53            0.0.0.0:*               LISTEN      10028/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10028/named
udp        0      0 10.30.3.5:53            0.0.0.0:*                           10028/named
[root@zotac etc]#


From Windows client:
c:\>nslookup cnn.com.
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.30.3.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Server sees the request, but it is not forwarded to the forwarding servers:
[root@zotac ~]# tcpdump -vvv -s 0 -l -n port 53 -i enp2s0 | grep cnn.com
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10.30.3.253.55238 > 10.30.3.5.domain: [udp sum ok] 2+ A? cnn.com. (25)
    10.30.3.253.55239 > 10.30.3.5.domain: [udp sum ok] 3+ AAAA? cnn.com. (25)

I expect to see a query to the external DNS and/or a reply from the local DNS to the client.


[root@zotac etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl "trusted" {
 10.30.3.0/24;
};

options {
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { trusted; };
        allow-transfer { 10.30.3.5;};

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        forwarders {
                8.8.8.8;
                8.8.4.4;
                };
        forward first;
        listen-on port 53 {
                10.30.3.5;
                };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

key rndc-key {
        algorithm hmac-md5;
        secret "secretpassword";
        };
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
        };
zone "kfs.local" IN {
        type master;
        file "/var/named/kfs.local.hosts";
        allow-update { none; };
        };
zone "10.30.3.in-addr.arpa" {
        type master;
        file "/var/named/3.30.10.rev";
        };
[root@zotac etc]#
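The symptom above (query visible in tcpdump, no answer, no outbound query to the forwarders) has several distinct causes that a packet capture alone cannot separate: a host firewall dropping the packet after tcpdump has already seen it (libpcap taps the interface before netfilter, so firewalld/iptables drops are invisible to tcpdump), named not actually receiving it, or named receiving it and refusing it because of an ACL. The probe below sends a raw UDP query and classifies what comes back, which tells the two cases apart: a firewall drop or a dead listener gives a timeout, an ACL rejection gives an explicit REFUSED from named. This is an added example written for this page, not code from the question or from the BIND project; the server address 10.30.3.5 and the name cnn.com are taken from the question, and the two sample responses are constructed here so the classifier can be exercised offline.

```python
"""Minimal raw-UDP DNS probe: send an A query, classify the reply.

Added example, not part of the original question.  Constructed sample
responses below let classify()/parse_response() run without a server.
"""
import random
import socket
import struct

QTYPE_A = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'cnn.com.' into DNS wire labels: b'\\x03cnn\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Header with RD set (we want the server to recurse) + one question."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # resume after the first pointer only
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(data):
    """Parse header flags and the answer section (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),  # server is willing to recurse for us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": answers,
    }


def classify(reply):
    """Turn a reply (or None for no reply) into a diagnosis keyword."""
    if reply is None:
        return "timeout"       # dropped by firewall, not listening, or named hung
    parsed = parse_response(reply)
    if parsed["rcode"] == "REFUSED":
        return "refused"       # named got it; allow-query/allow-recursion rejected us
    if parsed["rcode"] == "SERVFAIL":
        return "servfail"      # named tried; forwarders/upstream resolution failed
    if parsed["rcode"] == "NOERROR" and not parsed["ra"]:
        return "no-recursion"  # answered, but recursion not offered to this client
    return "answer"


def probe(server, name, timeout=2.0, port=53):
    """Send one query over UDP; return (diagnosis, parsed-or-None)."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, port))
        while True:  # ignore stray datagrams that are not our transaction
            data, peer = sock.recvfrom(4096)
            if peer[0] == server and len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid:
                return classify(data), parse_response(data)
    except socket.timeout:
        return "timeout", None
    finally:
        sock.close()


# Constructed samples (not captured from the asker's server): the question
# from the post, then an answer with a compression pointer (0xc00c -> offset 12)
# for cnn.com A 151.101.64.73, and a bare REFUSED with the question echoed.
QUESTION = b"\x03cnn\x03com\x00\x00\x01\x00\x01"
SAMPLE_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                 + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x97\x65\x40\x49")
SAMPLE_REFUSED = b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION

if __name__ == "__main__":
    import sys
    for label, sample in (("answer", SAMPLE_ANSWER), ("refused", SAMPLE_REFUSED)):
        print(label, "->", classify(sample), parse_response(sample)["answers"])
    if len(sys.argv) > 1:  # e.g. python3 dnsprobe.py 10.30.3.5
        print(probe(sys.argv[1], "cnn.com."))
```

Run it from a client on the 10.30.3.0/24 network against 10.30.3.5. A "timeout" verdict while tcpdump on the server still shows the query arriving points at the host firewall or at named not reading that socket, so the next checks are `firewall-cmd --list-services` (dns should be listed) or `iptables -L -n`, plus `/var/named/data/named.run`; a "refused" verdict means named did see the packet and the ACLs in named.conf (allow-query, allow-recursion) are what to revisit. The "Server: UnKnown" in the Windows nslookup output is consistent with this: nslookup first does a PTR lookup for 10.30.3.5 to print the server's name, and that query timed out too. Two hardening notes on the posted named.conf while you are in it: the rndc key uses hmac-md5 with a secret that is now public, so regenerate it (`rndc-confgen -a`) and prefer hmac-sha256, and `dnssec-validation no` turns off the one integrity check a forwarding resolver has against spoofed upstream answers.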
ASKER CERTIFIED SOLUTION
Chris Dent